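# Outbound check-in from the bot covered by the YARA rule unknown_bot: a form-encoded POST whose
# body carries the five fixed keys of the bot's template "BCDEF=%s&MNOPQ=%s&GHIJ=%s&UVWXYZ=%s&st=%d".
# "&UVWXYZ=" is pinned as the fast pattern: it is the most family-specific content here, whereas the
# Content-type header (which Suricata would otherwise tend to pick as the longest content) appears in
# practically every form POST and makes a poor prefilter. The body contents are not ordered with
# distance/within, so the rule matches the keys in any order; tighten only if the body layout is confirmed.
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"Unknown Botnet Checkin"; flow:established,to_server; content:"POST"; http_method; content:"BCDEF="; http_client_body; content:"&MNOPQ="; http_client_body; content:"&GHIJ="; http_client_body; content:"&UVWXYZ="; http_client_body; fast_pattern; content:"&st="; http_client_body; content:"Content-type|3a 20|application/x-www-form-urlencoded"; http_header; classtype:trojan-activity; sid:20166276; rev:2; metadata:created_at 2018_12_19;)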
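rule unknown_bot
{
    meta:
        description = "Unknown bot"
        author = "James_inthe_box"
        reference = ""
        date = "2018/12"
        maltype = "Bot"
    strings:
        // "application/x-www-form-urlencoded" with every byte shifted by +1 (a->b, /->0, -->.),
        // i.e. the Content-type value the check-in rule (sid 20166276) expects on the wire;
        // presumably decoded by the sample at runtime - inferred from the shift, not confirmed.
        $string1 = "bqqmjdbujpo0y.xxx.gpsn.vsmfodpefe"
        // printf-style template of the POST body; its fixed keys (BCDEF=, &MNOPQ=, &GHIJ=,
        // &UVWXYZ=, &st=) are exactly what the network rule looks for in http_client_body.
        $string2 = "BCDEF=%s&MNOPQ=%s&GHIJ=%s&UVWXYZ=%s&st=%d"
        // The remaining strings are generic on their own (format fragments, an HTTP header,
        // two short key names); they are only safe because the condition requires all of them.
        $string3 = "%s %s %s"
        $string4 = "Content-length: %d"
        $string5 = "DFCB="
        $string6 = "ID=%s"
    condition:
        all of ($string*)
}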